- VoIP Security Alert: Hackers Start Attacking For Cash (June 2006)
- Two Men Charged With Hacking Into VoIP Networks (June 2006)
- The Internet's a Scary Place for Voice (May 2006)
- Is Your VoIP Phone Vulnerable? (June 2006)
- Are Hackers Eyeing your VoIP Network? (Sept. 2006)
- VoIP Security: It's More Than Data Security (Aug. 2006)


# Security Concerns

Survey chart: percent of next gen voice respondents rating each concern 6 or 7 (the bar values did not survive extraction; only the concern labels and call-outs are reproduced).

- DoS attacks and overloads of next gen voice service infrastructure
- User/device authentication and authorization
- User privacy and confidentiality
- Service fraud
- Service topology exposure
- Illegal wiretapping
- SPIT

Call-outs: Trade performance for security. Everyone worries about security. DoS attacks and overloads are the biggest worry.

Source: Service Provider Plans for Next Gen Voice 2006 (July 2006)
# Security threats, impact and solutions

| Security threat | Comments | Probability | Impact: VoIP over Internet, free, anonymous | Impact: VoIP over Internet, fee, not anonymous | Impact: VoIP over managed network | Security solution |
|---|---|---|---|---|---|---|
| DoS and DDoS attacks (service provider infrastructure) | Requires sophisticated attack capable of covering tracks; catastrophic impact as all subscribers are impacted | 1 | 3 | 2 | (cell lost in extraction) | Access control and packet filtering; topology hiding and disintermediation; rate limiting and call gapping; dynamic attacker detection and blocking |
| Viruses and malware | Impact varies based on service provider infrastructure, enterprise IP PBX or residential PC | 3 to 8 | 5 | 5 | 5 | Authentication & authorization; deep packet inspection; signature detection; authenticated encryption |
| Service fraud | Requires technical sophistication; impact depends on business model | 5 | N/A | 5 | 5 | Bandwidth policing; QoS marking/mapping; admission control; authentication & authorization; intrusion detection |
| Identity theft | Requires slightly more technical sophistication than SPIT; man-in-the-middle requires the same degree of technical capabilities; information can be used for other attacks with various impacts | 2 to 5 | 8 | 6 | 4 | Authentication & authorization; authenticated encryption |
| Eavesdropping / user privacy | Requires technical sophistication and access to wiring closets | 2 | 5 | 5 | 2 | Authenticated encryption; anonymize user information |
| SPIT | Requires little sophistication; annoying more than harmful | 1 | 10 | 8 | 6 | Authentication & authorization; call screening and filtering; access control; topology hiding; intrusion detection |

Note: probability and impact ratings on 1 to 10 scale with 1 being low and 10 being high. For the DoS/DDoS row only three of the four ratings survived extraction; they are shown in the order extracted.

# Security feature requirement vs. IMS function/feature

The original matrix also marks which threats each feature addresses (columns: DoS/DDoS attacks, traffic overloads, viruses & malware, service fraud, identity theft, eavesdropping, SPIT); those marks did not survive extraction, so only the feature and IMS columns are reproduced.

| Security feature requirement | IMS function/feature |
|---|---|
| Access control - static IP address list | Core IMS functions, not applicable for UE |
| Access control - dynamic IP address list | Not addressed |
| Topology hiding (NAPT at L3 & L5) | I-BCF only, THIG sub-function |
| Authentication - subscriber & CSCF | IPSec, SIP digest |
| Authorization - subscriber | HSS function |
| Signaling encryption | IPSec |
| Media encryption | Not addressed |
| Admission control - I/S-CSCF constraints | |
| Admission control - network bandwidth constraints | |
| Admission control - user limits: sessions (#) | |
| Admission control - user limits: bandwidth | |
| SIP message & MIME attachment filtering/inspection | Not addressed |
| Signaling rate monitoring & policing | Not addressed |
| Bandwidth monitoring & policing | Not addressed |
| Call gapping - destination number | Not addressed |
| Call gapping - source/destination CSCF or UE | Not addressed |
| QoS marking/mapping control | Not addressed |

# DoS/DDoS attacks threaten subscriber retention and revenue

Types
- Malicious attacks
- Non-malicious - poorly behaving endpoints, power outages

Solution requirements

SBC DoS self-protection
- Access control - static & dynamic
- Trusted & untrusted paths with policed queues
- IDS capabilities

Service infrastructure DoS prevention
- Access control - static & dynamic
- Topology hiding
- Signaling rate policing
- Bandwidth policing

(Diagram: SBC placed between the Internet/IC access side and the service infrastructure, with PSTN and PBX connections; only the labels survived extraction.)


# Viruses & malware can threaten IC endpoints and service infrastructure

SIP MIME attachments are a powerful tool for richer call ID
- vcard text, picture or video

Potential Trojan horse for viruses and worms to general-purpose server-based voice platforms
- SIP softswitch, IMS CSCF, SIP servers, app servers
- SIP PBX
- SIP phones & PCs

New endpoint vulnerabilities
- Embedded web servers - IP phones
- Java apps - liability or asset?

Solution requirements
- Authentication
- SIP message & MIME attachment filtering
- Secure OS environment
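The "SIP message & MIME attachment filtering" requirement above is easiest to reason about as a concrete policy check at the edge. The following is an added example (not Acme Packet's code and not from the slides): it parses a SIP request, verifies that the real body matches the declared Content-Length, walks each MIME part of a multipart body and rejects parts whose media type is outside an allow-list, whose size exceeds a ceiling, or whose Content-Disposition filename carries an executable extension. The allow-list, size limit, blocked extensions, sample addresses and sample messages are all constructed assumptions for this example.

```python
"""Policy filter for SIP request bodies and MIME attachments (added example)."""
import re
from dataclasses import dataclass, field

# Media types treated as legitimate richer-call-ID content (SDP for the call,
# vCard text, pictures, video). Assumed policy values, not vendor defaults.
ALLOWED_TYPES = {"application/sdp", "text/vcard", "text/x-vcard"}
ALLOWED_PREFIXES = ("image/", "video/")
MAX_PART_BYTES = 64 * 1024          # assumed per-attachment ceiling
BLOCKED_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".jar")


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def _parse_headers(block: bytes) -> dict:
    """'Name: value' lines -> {lowercased name: value}."""
    headers = {}
    for line in block.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers


def split_message(raw: bytes):
    """Return (headers, body) for one SIP message; the request line is skipped."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return _parse_headers(head.partition(b"\r\n")[2]), body


def content_type_params(value: str):
    """'multipart/mixed; boundary=xyz' -> ('multipart/mixed', {'boundary': 'xyz'})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        params[k.strip().lower()] = v.strip().strip('"')
    return parts[0].lower(), params


def mime_parts(body: bytes, boundary: str):
    """Yield (part_headers, part_body) for each part of a multipart body."""
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):              # closing delimiter reached
            break
        phead, _, pbody = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        yield _parse_headers(phead), pbody.rstrip(b"\r\n")


def check_part(headers: dict, body: bytes) -> list:
    """Return the policy violations for one body part (empty list = clean)."""
    problems = []
    ctype, _ = content_type_params(headers.get("content-type", "application/octet-stream"))
    if ctype not in ALLOWED_TYPES and not ctype.startswith(ALLOWED_PREFIXES):
        problems.append(f"media type {ctype} not in allow-list")
    if len(body) > MAX_PART_BYTES:
        problems.append(f"part of {len(body)} bytes exceeds {MAX_PART_BYTES}")
    # A benign media type can still carry an executable filename: check the
    # Content-Disposition as well, not only Content-Type.
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    if m and m.group(1).lower().endswith(BLOCKED_SUFFIXES):
        problems.append(f"filename {m.group(1)} has a blocked extension")
    return problems


def inspect_sip(raw: bytes) -> Verdict:
    headers, body = split_message(raw)
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):                     # police the real body, not the claim
        return Verdict(False, [f"Content-Length {declared} != body {len(body)}"])
    if not body:
        return Verdict(True)
    ctype, params = content_type_params(headers.get("content-type", ""))
    if ctype.startswith("multipart/"):
        if "boundary" not in params:
            return Verdict(False, ["multipart body without boundary"])
        problems = []
        for ph, pb in mime_parts(body, params["boundary"]):
            problems += check_part(ph, pb)
    else:
        problems = check_part(headers, body)
    return Verdict(not problems, problems)


# ---- constructed sample messages (hypothetical addresses) ----
def build_invite(body: bytes, content_type: str) -> bytes:
    head = ("INVITE sip:bob@example.net SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
            "From: <sip:alice@example.org>;tag=1928\r\nTo: <sip:bob@example.net>\r\n"
            "Call-ID: a84b4c76e66710\r\nCSeq: 1 INVITE\r\n"
            f"Content-Type: {content_type}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def multipart(parts, boundary="sbc-demo"):
    out = b""
    for ph, pb in parts:
        out += b"--" + boundary.encode() + b"\r\n" + ph.encode() + b"\r\n\r\n" + pb + b"\r\n"
    return out + b"--" + boundary.encode() + b"--\r\n", f'multipart/mixed; boundary="{boundary}"'


SDP = b"v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
VCARD = b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice\r\nEND:VCARD\r\n"
GOOD_INVITE = build_invite(*multipart([("Content-Type: application/sdp", SDP),
                                       ("Content-Type: text/vcard", VCARD)]))
BAD_INVITE = build_invite(*multipart([
    ("Content-Type: application/sdp", SDP),
    ('Content-Type: application/octet-stream\r\nContent-Disposition: attachment; filename="callerid.exe"',
     b"MZ\x90\x00" + b"\x00" * 60)]))

if __name__ == "__main__":
    print(inspect_sip(GOOD_INVITE))
    print(inspect_sip(BAD_INVITE))
```

The Content-Length check matters on its own: a filter that trusts the declared length can be made to inspect a different byte range from the one the downstream SIP stack will parse. Rejecting on mismatch keeps the filter and the protected element looking at the same body.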
# Service fraud risk is business model dependent

Business model dimensions
- Internet vs. managed network
- Free vs. fee based
- Anonymous vs. not anonymous

Types of fraud
- Service theft
- QoS theft
- Bandwidth theft

Solution requirements
- Access control
- Authentication - subscriber & SIP signaling elements
- Authorization - subscriber
- Admission control - subscriber limits - # sessions & bandwidth
- QoS marking/mapping control
- Bandwidth policing

(Diagram: application servers (AS), a DiffServ-marked core, the Internet and a PBX; only the labels survived extraction.)
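The "admission control - subscriber limits - # sessions & bandwidth" requirement on the service fraud slide, and the "admission control - subscriber limits (#)" item on the SPIT slide, both come down to a per-INVITE decision. The following added example (not the vendor's code) models that decision as an in-memory controller: it derives the bandwidth a session will consume from the SDP offer's b=AS: line, enforces a per-subscriber concurrent-session count and bandwidth budget, and applies call gapping per destination number over a sliding window. The policies, limits, window, subscriber names and destination numbers are all constructed assumptions.

```python
"""Per-subscriber admission control with destination call gapping (added example)."""
import re
from collections import deque
from dataclasses import dataclass, field

DEFAULT_AUDIO_KBPS = 80   # assumed budget for one G.711 stream incl. IP/UDP/RTP overhead


def sdp_bandwidth_kbps(sdp: str) -> int:
    """Use the session-level b=AS: line of an SDP offer; otherwise assume a default."""
    m = re.search(r"^b=AS:(\d+)\s*$", sdp, re.M)
    return int(m.group(1)) if m else DEFAULT_AUDIO_KBPS


@dataclass
class SubscriberPolicy:
    max_sessions: int          # concurrent sessions allowed
    max_kbps: int              # total media bandwidth allowed


@dataclass
class SubscriberState:
    sessions: dict = field(default_factory=dict)   # call_id -> kbps reserved


class AdmissionController:
    def __init__(self, policies, gap_limit=5, gap_window=10.0):
        self.policies = policies           # subscriber -> SubscriberPolicy
        self.state = {}                    # subscriber -> SubscriberState
        self.gap_limit = gap_limit         # admitted attempts per destination per window
        self.gap_window = gap_window       # seconds
        self.dest_attempts = {}            # destination -> deque of timestamps

    def _gapped(self, dest, now):
        """Sliding-window call gapping: True when the destination is saturated."""
        q = self.dest_attempts.setdefault(dest, deque())
        while q and now - q[0] > self.gap_window:
            q.popleft()
        if len(q) >= self.gap_limit:
            return True
        q.append(now)
        return False

    def admit(self, subscriber, call_id, dest, requested_kbps, now):
        """Return (admitted, reason) for a new session request."""
        policy = self.policies.get(subscriber)
        if policy is None:
            return False, "unknown subscriber"     # authorization precedes admission
        st = self.state.setdefault(subscriber, SubscriberState())
        if len(st.sessions) >= policy.max_sessions:
            return False, "session limit"
        if sum(st.sessions.values()) + requested_kbps > policy.max_kbps:
            return False, "bandwidth limit"
        if self._gapped(dest, now):
            return False, "destination gapped"
        st.sessions[call_id] = requested_kbps
        return True, "admitted"

    def release(self, subscriber, call_id):
        """Called on BYE/CANCEL/timeout so the reservation is returned."""
        self.state.get(subscriber, SubscriberState()).sessions.pop(call_id, None)


# Constructed SDP offer carrying an explicit bandwidth line.
SAMPLE_SDP = ("v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
              "b=AS:64\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")


def demo():
    """Constructed scenario: one subscriber limited to 2 sessions / 160 kbps,
    a destination gapped at 3 admitted attempts per 10 s. Returns the reasons."""
    ac = AdmissionController({"alice": SubscriberPolicy(max_sessions=2, max_kbps=160)},
                             gap_limit=3, gap_window=10.0)
    dest, kbps = "+15550100", sdp_bandwidth_kbps(SAMPLE_SDP)   # 64 kbps
    out = []
    out.append(ac.admit("alice", "c1", dest, kbps, now=0.0)[1])   # admitted
    out.append(ac.admit("alice", "c2", dest, kbps, now=1.0)[1])   # admitted
    out.append(ac.admit("alice", "c3", dest, kbps, now=2.0)[1])   # session limit
    ac.release("alice", "c1")
    out.append(ac.admit("alice", "c4", dest, 100, now=3.0)[1])    # 64 + 100 > 160
    out.append(ac.admit("alice", "c5", dest, kbps, now=4.0)[1])   # admitted (3rd in window)
    ac.release("alice", "c2")
    ac.release("alice", "c5")
    out.append(ac.admit("alice", "c6", dest, kbps, now=6.0)[1])   # destination gapped
    out.append(ac.admit("alice", "c7", dest, kbps, now=11.5)[1])  # window slid: admitted
    out.append(ac.admit("mallory", "c8", dest, kbps, now=12.0)[1])  # unknown subscriber
    return out


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Only admitted attempts are counted toward the gap, so a subscriber already rejected for exceeding their own limits cannot also drive a destination into gapping; whether rejected attempts should count is a policy choice an operator makes per destination class.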


# Identity theft can't be prevented entirely by technology

How do you know you are talking to Bank of America?

- Web site techniques don't work for IC
  - work for many-one, not many-many

Solution requirements
- Authentication, access control
- Trust chains - pre-established technical & business relationships

(Screenshot: Bank of America Online Banking "Confirm that your SiteKey is correct" page; the page text did not survive extraction.)


# Eavesdropping threat is overhyped

Less risk than email - who encrypts email?
- Email is information rich (attachments), voice is not
- Email is always stored on servers, only voice mail is
- Email is always stored on endpoints, voice is not

Who is at risk?
- Bad guys - Osama, drug cartels, pedophiles, etc.
- Law enforcement
- Money, love, & health-related - insider trading, adultery, ID theft

Solution requirements
- Authentication - subscriber
- End-to-end encryption (EXPENSIVE)
  - Signaling (TLS, IPSec)
  - Media (SRTP, IPSec)


# SPIT will be annoying, & a possible tool for ID theft

Will an anonymous, cheap Yahoo subscriber (aka SPITTER) be able to call a money-paying Verizon subscriber to solicit phone sex, penis enlargement, Viagra pill purchases?

Techniques that won't work
- Access control - static
- Content filtering
- Charging - $/call
- Regulation

Solution requirements
- Access control - dynamic, IDS-like
- Authentication
- Admission control - subscriber limits (#)
- Trust chains - pre-established technical & business relationships


# Who is responsible for security?

- The individual
- The organization
- The Internet
- The future IC net?

# Net-Net

Security issues are very complex and multi-dimensional

Security investments are business insurance decisions
- Life - DoS attack protection
- Health - SLA assurance
- Property - service theft protection
- Liability - SPIT & virus protection

Degrees of risk
- Internet-connected ITSP
- Facilities-based HIP residential services
- Facilities-based HIP business services
- Peering

NEVER forget disgruntled Malcom, Office Space

Session border controllers enable service providers to insure their success


# Net-SAFE - security requirements framework for session border control

- SBC DoS protection: protect against SBC DoS attacks & overloads (malicious & non-malicious)
- Fraud prevention: prevent misuse & fraud; protect against service theft
- Access control: session-aware access control for signaling & media
- Service infrastructure DoS prevention: prevent DoS attacks on service infrastructure & subscribers
- Monitor, report & record attacks & attackers; provide audit trails
- Topology hiding & privacy: complete service infrastructure hiding & user privacy support
- VPN separation: support for L2 and L3 VPN services and security

# "Acme Packet Net-Net SD flawlessly passed all of CT Labs' grueling attack tests"

Total of 34 different test cases, using over 4600 test scripts
- No failed or dropped calls, even for new calls made during attacks
- No lost RTP packets during attacks
- Protected the service provider equipment - did not allow flood attacks into core, stopped packets at edge

SD performance not impacted during attack
- SD CPU utilization - only 10% increase
- Signaling latency - only 2 ms average increase
- RTP jitter - less than 1 ms increase (not measurable by test equipment)


# Acme Packet SBC DoS/DDoS protection

Network processor (NPU)-based protection
- L3/4 (TCP, SYN, ICMP, etc.) & signaling attack detection & prevention
- Dynamic & static ACLs (permit & deny) to SPU
- Trusted & untrusted paths to SPU w/configurable bandwidth allocation & bandwidth policing per session
  - Trusted devices - guaranteed signaling rates & access fairness
  - Untrusted devices - can access unused trusted bandwidth
- Separate queues for ICMP, ARP, telnet, etc.
- Reverse Path Forwarding (uRPF) detection - signaling & media
- Overload prevention - 10 Gbps NPUs > 8 Gbps network interfaces

Signaling processor (SPU)-based protection
- Overload protection threshold (% SPU) w/graceful call rejection
- Per-device dynamic trust-binding promotes/demotes devices
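The DoS slide ("access control - static & dynamic", "trusted & untrusted paths with policed queues", "signaling rate policing"), the SPIT slide ("access control - dynamic, IDS-like") and the NPU/SPU bullets above describe one mechanism from three angles. The following added example (not Acme Packet's implementation, and not a description of how the Net-Net SD does it internally) shows the logic in a single policer: a provisioned static ACL, a guaranteed token-bucket rate for trusted devices, a small per-device allowance for untrusted devices plus a shared pool they may borrow from, promotion after sustained clean traffic, demotion and finally a dynamic deny entry after repeated violations, and graceful rejection rather than silent drops once processor load crosses a threshold. Every rate, threshold and address is a constructed assumption.

```python
"""Trusted/untrusted signaling policer with dynamic trust-binding (added example)."""
DENY, UNTRUSTED, TRUSTED = "deny", "untrusted", "trusted"


class TokenBucket:
    """Classic token bucket: `rate` messages/s sustained, `burst` at most."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Device:
    def __init__(self, level, bucket):
        self.level, self.bucket = level, bucket
        self.violations, self.clean_msgs = 0, 0


class SignalingPolicer:
    TRUSTED_RATE = 50.0      # guaranteed messages/s per trusted device (assumed)
    UNTRUSTED_RATE = 5.0     # per-device allowance for untrusted sources (assumed)
    SHARED_RATE = 20.0       # pool untrusted devices may borrow from (assumed)
    DEMOTE_AFTER = 10        # violations before trust is withdrawn (assumed)
    PROMOTE_AFTER = 100      # clean messages before promotion (assumed)
    OVERLOAD_PCT = 90.0      # SPU load threshold for graceful rejection (assumed)

    def __init__(self, static_acl):
        self.static_acl = dict(static_acl)   # operator-provisioned address -> level
        self.devices = {}                    # dynamic per-source state
        self.shared = TokenBucket(self.SHARED_RATE, self.SHARED_RATE)
        self.spu_load_pct = 0.0              # would be fed by the platform; set by caller here
        self.events = []                     # audit trail: (time, address, action)

    def _device(self, addr):
        if addr not in self.devices:
            level = self.static_acl.get(addr, UNTRUSTED)
            rate = self.TRUSTED_RATE if level == TRUSTED else self.UNTRUSTED_RATE
            self.devices[addr] = Device(level, TokenBucket(rate, rate))
        return self.devices[addr]

    def admit(self, addr, now):
        """Decide one signaling message: 'forward', 'reject' (graceful) or 'drop'."""
        dev = self._device(addr)
        if dev.level == DENY:
            return "drop"                                  # never reaches the SPU
        if dev.level == TRUSTED:
            if dev.bucket.take(now):
                return self._forward(dev, addr, now)
        elif dev.bucket.take(now) or self.shared.take(now):
            return self._forward(dev, addr, now)           # own allowance or borrowed
        self._violation(dev, addr, now)
        return "drop"

    def _forward(self, dev, addr, now):
        if self.spu_load_pct >= self.OVERLOAD_PCT:
            return "reject"        # over threshold: reject cleanly instead of timing out
        dev.clean_msgs += 1
        if dev.level == UNTRUSTED and dev.clean_msgs >= self.PROMOTE_AFTER:
            dev.level = TRUSTED
            dev.bucket = TokenBucket(self.TRUSTED_RATE, self.TRUSTED_RATE)
            self.events.append((now, addr, "promoted"))
        return "forward"

    def _violation(self, dev, addr, now):
        dev.violations += 1
        dev.clean_msgs = 0
        if dev.violations >= self.DEMOTE_AFTER:
            if dev.level == TRUSTED:
                dev.level = UNTRUSTED
                dev.bucket = TokenBucket(self.UNTRUSTED_RATE, self.UNTRUSTED_RATE)
                self.events.append((now, addr, "demoted"))
            else:
                dev.level = DENY                           # dynamic deny ACL entry
                self.events.append((now, addr, "denied"))
            dev.violations = 0


def simulate():
    """Constructed scenario with hypothetical addresses; returns (policer, counts)."""
    p = SignalingPolicer({"192.0.2.1": TRUSTED, "203.0.113.9": DENY})
    counts = {"forward": 0, "reject": 0, "drop": 0}
    for _ in range(200):                         # burst from an unknown, untrusted source
        counts[p.admit("198.51.100.7", 0.0)] += 1
    for _ in range(30):                          # trusted device, same instant
        counts[p.admit("192.0.2.1", 0.0)] += 1
    counts[p.admit("203.0.113.9", 0.0)] += 1     # statically denied address
    p.spu_load_pct = 95.0                        # SPU overloaded from here on
    counts[p.admit("192.0.2.1", 0.5)] += 1
    return p, counts


if __name__ == "__main__":
    print(simulate()[1])
```

In the scenario the unknown source gets its 5-message allowance plus the 20-message shared pool, then accumulates ten violations and is moved to the dynamic deny list, after which its traffic is discarded without consuming either bucket; the trusted device's 30 messages all pass because its guaranteed bucket is untouched by the flood, and its message during the overload window is rejected rather than dropped so the endpoint can back off.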


(Architecture diagram labels: network processor, signaling processor, intelligent traffic manager, QoS, security processor.)

The leader in session border control for trusted, first class interactive communications


